From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
Date: Wed, 27 Feb 2008 18:10:38 -0300
Subject: Re: floating keep state
Message-ID: <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>
In-Reply-To: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com>

I didn't understand this rule:

    pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state

I think it is:

    pass in quick proto tcp from any to port $www_tcp_ports flags S/SA keep state

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

On 27/02/2008, Vadym Chepkov wrote:
> All,
>
> I must be doing something wrong, but I can't figure it out.
> I actually simplify the network structure, to keep it simple
>
> - a client and a web server are on different network segments;
> - all incoming connections to the client are prohibited;
> - client should be allowed to access web server and get a reply;
>
> Here are the rules:
>
> set state-policy floating
> pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
> block in log to
>
> In the pflog I can see that reply packet from www server is blocked on
> server's segment interface. I thought 'set state-policy floating'
> should create a rule interface independent and allow a reply? Am I
> wrong?
>
> Thank you,
>
> Vadym Chepkov
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
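For readers following the thread, here is a complete pf.conf for the two-segment setup Vadym describes, written out as an added example; it is not Vadym's ruleset and not a diagnosis of his problem. Interface names, the client and web server addresses, and the port list are assumed placeholders. The point it illustrates is the one both messages circle around: with `flags S/SA` only the initial SYN can match the pass rule, so the server's SYN/ACK arriving on the other interface is passed only if the state entry created on the client's interface is visible there, which is what `set state-policy floating` is meant to provide.

```conf
# Added example, not the thread's own configuration.
# Interface names, addresses and ports below are constructed placeholders.
ext_if        = "em0"            # assumed: segment where the client lives
srv_if        = "em1"            # assumed: segment where the web server lives
client        = "192.0.2.10"     # constructed address
www           = "198.51.100.20"  # constructed address
www_tcp_ports = "{ 80, 443 }"

# Floating states are matched on any interface, not only the one they were
# created on. The alternative, 'set state-policy if-bound', would tie the
# state to $ext_if and the reply entering on $srv_if would not match it.
set state-policy floating

# Default deny for everything entering the firewall; 'log' sends the drop to
# pflog0 so you can see which interface and rule rejected a packet.
block in log all

# The client may open TCP connections to the web server. 'flags S/SA' means
# only a SYN (no ACK) matches this rule; the returning SYN/ACK and all later
# packets are accepted by the state entry, not by any rule.
pass in quick on $ext_if proto tcp from $client to $www \
    port $www_tcp_ports flags S/SA keep state

# Connections initiated towards the client are never allowed.
block in log proto tcp to $client
```

To check the behaviour rather than guess at it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -ss` lists the state table (floating states show `all` in place of an interface name), and `tcpdump -n -e -ttt -i pflog0` shows each logged drop together with the interface and rule number that caused it, which is the quickest way to tell whether a reply was dropped for lack of a matching state or by a later rule.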